Using SSH Keys for Authentication in Privileged Access Management

Andy Harris

Osirium’s PxM Platform can use both passwords and SSH Keys for the role-based connections where the device supports keys.
In general, SSH keys are the preferred method for connecting to cloud-based systems such as AWS and Azure. The prime reason is that keys have far more entropy than any memorable password.
It’s important to remember that the PxM Platform is proxying the connection between the client and the device. As part of this process it injects the keys or credentials server side before linking the proxied connection sockets to the client.
This means that Osirium can associate SSH keys with role-based accounts. Inbound identities can then be policy-mapped to allow access to these accounts. Furthermore, provided that the private keys are never moved off the PxM Platform, only the PxM Platform can use this authentication method, so lateral movement and bypass are negated.
SSH key support is configured per template. The device template therefore needs a section like this example, taken from our Ubuntu template:
```xml
<task name="user_set_ssh_public_key" type="status">
  <commands>
    <command noecho="yes">sudo mkdir -p ~%(username)s/.ssh/</command>
    <command noecho="yes">sudo chown -R %(username)s:%(username)s ~%(username)s/.ssh/</command>
    <command noecho="yes">sudo touch ~%(username)s/.ssh/authorized_keys</command>
    <command noecho="yes">sudo chown %(username)s:%(username)s ~%(username)s/.ssh/authorized_keys</command>
    <command noecho="yes">sudo chmod 600 ~%(username)s/.ssh/authorized_keys</command>
    <command noecho="yes">sudo bash -c 'echo "%(ssh_public_key.new)s" >> ~%(username)s/.ssh/authorized_keys'</command>
    <success type="ci_match" value=""/>
    <failed type="default"/>
    <!-- Safely removes the old public key if it is provided. -->
    <command noecho="yes">sudo sed -i '\#%(ssh_public_key.old)s#d' ~%(username)s/.ssh/authorized_keys</command>
    <conditions>
      <testexists name="ssh_public_key.old"/>
    </conditions>
    <success type="ci_match" value=""/>
    <failed type="default"/>
  </commands>
</task>
```
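The template above rotates a role account's key by appending `ssh_public_key.new` with `echo` and deleting `ssh_public_key.old` with a `sed` address. Two details matter when doing this: the new key should only ever be added once, and the old key should be removed by exact line match, because `sed` interprets the supplied key as a regular expression (`.` and `+` inside the base64 body are pattern metacharacters, not literals). The following Python is an added example, not Osirium's template code or part of the PxM Platform; it assumes the template's `ssh_public_key.new` and `ssh_public_key.old` values are passed in as `new_key` and `old_key`, and the key strings in it are constructed placeholders, not real keys.

```python
"""Rotate one public key in an authorized_keys file.

Added example (not Osirium's code): does what the template does with
echo/sed, but idempotently and with literal rather than regex matching.
"""
import os
import stat
import tempfile


def rotate_authorized_keys(lines, new_key, old_key=None):
    """Return the new authorized_keys content as a list of lines.

    - new_key is appended once; a second rotation with the same key
      does not create a duplicate entry.
    - old_key, if given, is removed by exact line comparison, so a key
      that merely shares a prefix with it (or differs only in the
      comment field) is left alone.
    - Comments and other entries are preserved in their original order.
    """
    new_key = new_key.strip()
    old = old_key.strip() if old_key else None
    out = []
    for line in lines:
        stripped = line.strip()
        if old is not None and stripped == old:
            continue  # drop the retired key, and only that key
        out.append(stripped)
    if new_key not in out:
        out.append(new_key)
    return out


def write_authorized_keys(path, lines):
    """Write the file atomically with mode 0600 (the template's chmod 600).

    Content goes to a temp file in the same directory, which is then
    renamed over the target, so sshd never reads a half-written file.
    """
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write("\n".join(lines) + "\n")
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


# Constructed sample data; these are placeholders, not real keys.
SAMPLE_KEYS = [
    "# managed by PAM",
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDKEY000000000000000000000000000000 pam-role-2023",
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDKEY000000000000000000000000000000X other-user",
]
OLD_KEY = SAMPLE_KEYS[1]
NEW_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEWKEY000000000000000000000000000000 pam-role-2024"


def demo_rotation():
    """Round trip on a temporary file: seed, rotate, write, read back.

    Returns (lines read back, permission bits of the file).
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "authorized_keys")
        write_authorized_keys(path, SAMPLE_KEYS)
        with open(path) as fh:
            current = fh.read().splitlines()
        rotated = rotate_authorized_keys(current, NEW_KEY, OLD_KEY)
        write_authorized_keys(path, rotated)
        with open(path) as fh:
            lines = fh.read().splitlines()
        mode = stat.S_IMODE(os.stat(path).st_mode)
    return lines, mode


if __name__ == "__main__":
    for line in demo_rotation()[0]:
        print(line)
```

Note that the third sample entry differs from the retired key only by a trailing character in the key body; a regex-based deletion of the old key would also match and remove it, while the exact comparison above keeps it.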
These methods are supported in both PxM Express and the full version of the product, the PxM Platform.
If you’d like to know more, please watch the video below, or Contact Us.

Scott’s Simple SSH Setup for Privileged Access Management
Scott runs through using the PxM Platform for Privileged Access Management using SSH keys to Ubuntu Linux and AWS Platforms.